TamperedChef Malware Exploits Productivity Tools to Steal Sensitive Data

A sophisticated malware campaign, known as TamperedChef, has been identified leveraging seemingly legitimate productivity tools to infiltrate systems and exfiltrate sensitive information. This campaign underscores a concerning evolution in cybercriminal tactics, where trusted software categories are exploited to deploy malicious payloads.

Malware Distribution and Execution

The TamperedChef campaign centers around two primary applications: Calendaromatic.exe and ImageLooker.exe. These applications masquerade as benign productivity software, such as calendar tools and image viewers, while harboring malicious capabilities. Distributed through self-extracting 7-Zip archives, these applications exploit CVE-2025-0411 to evade Windows’ Mark of the Web protections. This exploitation allows them to execute without triggering SmartScreen warnings or other reputation-based security controls.

The malware employs deceptive advertising and search engine optimization techniques to direct victims toward malicious downloads. Users searching for free productivity utilities are often targeted, increasing the likelihood of successful infections.

Technical Sophistication and Evasion Techniques

TamperedChef showcases remarkable technical sophistication through its exploitation of modern application frameworks and advanced encoding techniques. Both Calendaromatic.exe and ImageLooker.exe are built using NeutralinoJS, a lightweight desktop framework that enables the execution of arbitrary JavaScript code within native applications. This framework choice allows the malware to seamlessly interact with system APIs while maintaining the appearance of legitimate desktop software.

The malware employs Unicode homoglyphs as a primary evasion mechanism, encoding malicious payloads within seemingly benign API responses. This technique enables the malware to bypass traditional string-based detection systems and signature matching algorithms that security products rely upon for identification. When executed, the malware decodes these hidden payloads and executes them through the NeutralinoJS runtime, effectively creating a covert execution channel that operates beneath the radar of conventional monitoring systems.
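A defender-side check for the homoglyph trick described above, added here as an example and not code from the TamperedChef analysis: it walks the string fields of an API response, flags characters that merely look like ASCII letters, and produces a normalized copy that string-based rules can be matched against. The article does not describe the exact substitution scheme the malware uses, so the confusables table, the field names and the sample response below are assumptions constructed for illustration; a production scanner would load the full Unicode confusables data.

```python
import json
import unicodedata

# Cyrillic and Greek letters that render like ASCII letters. This is a small
# constructed subset for illustration, not the full Unicode confusables list.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X", "\u03b1": "a", "\u03bf": "o", "\u03bd": "v", "\u0391": "A",
    "\u0392": "B", "\u0395": "E", "\u0397": "H", "\u039a": "K", "\u039c": "M",
    "\u039d": "N", "\u039f": "O", "\u03a1": "P", "\u03a4": "T", "\u03a7": "X",
}


def find_homoglyphs(text):
    """Return (index, char, origin, ascii_lookalike) for every confusable in text.

    Two classes are caught: cross-script look-alikes from the table above, and
    compatibility forms (fullwidth letters, ligatures) that NFKC folds to ASCII.
    """
    hits = []
    for i, ch in enumerate(text):
        if ch in CONFUSABLES:
            hits.append((i, ch, unicodedata.name(ch, "?").split()[0], CONFUSABLES[ch]))
        elif ord(ch) > 0x7F:
            folded = unicodedata.normalize("NFKC", ch)
            if folded.isascii():
                hits.append((i, ch, "COMPAT", folded))
    return hits


def normalize_homoglyphs(text):
    """Fold compatibility forms with NFKC, then map cross-script look-alikes to ASCII."""
    folded = unicodedata.normalize("NFKC", text)
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def scan_api_response(raw_json, ascii_fields):
    """Flag JSON string fields that should be plain ASCII but contain confusables.

    Returns {field: {"original", "normalized", "confusables"}} for flagged fields.
    The normalized text is what signature or keyword rules should be run against.
    """
    doc = json.loads(raw_json)
    findings = {}
    for field in ascii_fields:
        value = doc.get(field)
        if not isinstance(value, str):
            continue
        hits = find_homoglyphs(value)
        if hits:
            findings[field] = {
                "original": value,
                "normalized": normalize_homoglyphs(value),
                "confusables": len(hits),
            }
    return findings


# Constructed sample: an update-check reply whose "message" field spells
# "Update available" with Cyrillic е and а in place of the Latin letters.
SAMPLE_RESPONSE = json.dumps({
    "status": "ok",
    "version": "1.0.3",
    "message": "Updat\u0435 \u0430v\u0430il\u0430bl\u0435",
})

if __name__ == "__main__":
    for field, info in scan_api_response(SAMPLE_RESPONSE, ["status", "version", "message"]).items():
        print(f"{field}: {info['confusables']} confusable chars -> {info['normalized']!r}")
```

The useful output is the normalized string, not the alert by itself: running detection rules against both the raw and the normalized form is what closes the gap the article describes, since a rule written for the ASCII spelling never fires on the raw bytes.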

Persistence and Command-and-Control Communication

Upon installation, TamperedChef establishes persistence through the creation of scheduled tasks and registry modifications using specific command-line flags such as `--install`, `--enableupdate`, and `--fullupdate`. These mechanisms ensure the malware remains active and can receive updates or additional commands from its operators.

The malware communicates with command-and-control servers, including calendaromatic[.]com and movementxview[.]com, enabling remote operators to issue commands and exfiltrate collected data. This communication allows the attackers to maintain control over infected systems and adapt their tactics as needed.
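The persistence flags and the command-and-control domains above are the kind of indicators a SOC turns directly into detection logic. The following Python is an added example, not code from the TamperedChef reports: it matches constructed process-creation and DNS records against the binary names, command-line flags and domains the article lists, including a scheduled-task creation whose action carries one of the flags. The telemetry shape (type, host, image, command_line, query) and the sample events are constructed for illustration; adapt the field names to your EDR or Sysmon pipeline.

```python
import ntpath
import shlex

# Indicators named in the article. The C2 domains are kept defanged, as the
# article prints them, and refanged only when matching.
SUSPECT_IMAGES = {"calendaromatic.exe", "imagelooker.exe"}
PERSISTENCE_FLAGS = {"--install", "--enableupdate", "--fullupdate"}
C2_DOMAINS_DEFANGED = {"calendaromatic[.]com", "movementxview[.]com"}


def refang(indicator):
    """Turn a defanged indicator such as 'example[.]com' back into a matchable domain."""
    return indicator.replace("[.]", ".").lower()


C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}


def command_line_parts(cmdline):
    """Split a Windows command line into tokens, then split quoted tokens on whitespace.

    posix=False keeps backslashes literal and quoted paths intact; the second
    split lets a task action like /tr "...\X.exe --fullupdate" expose both the
    binary and the flag it is scheduled with.
    """
    try:
        tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    except ValueError:  # unbalanced quotes in the telemetry; fall back to a plain split
        tokens = cmdline.split()
    return [part for token in tokens for part in token.split()]


def check_process_event(event):
    """Return the reasons a (constructed) process-creation record is suspicious, if any."""
    reasons = []
    image = ntpath.basename(event.get("image", "")).lower()
    parts = command_line_parts(event.get("command_line", ""))
    lowered = {p.lower() for p in parts}
    flags = lowered & PERSISTENCE_FLAGS
    referenced = {ntpath.basename(p).lower() for p in parts} & SUSPECT_IMAGES
    if image in SUSPECT_IMAGES:
        reasons.append(f"{image} is a known TamperedChef binary")
        if flags:
            reasons.append(f"launched with persistence/update flags {sorted(flags)}")
    elif image == "schtasks.exe" and "/create" in lowered and referenced:
        reasons.append(f"scheduled task created for {sorted(referenced)} with flags {sorted(flags)}")
    return reasons


def check_dns_event(event):
    """Match a DNS query against the C2 domains, including any subdomain of them."""
    query = event.get("query", "").lower().rstrip(".")
    for domain in C2_DOMAINS:
        if query == domain or query.endswith("." + domain):
            return [f"DNS query for C2 domain {domain}"]
    return []


def triage(events):
    """Run the matching check over a mixed stream of events and keep only flagged ones."""
    findings = []
    for ev in events:
        check = check_process_event if ev["type"] == "process" else check_dns_event
        reasons = check(ev)
        if reasons:
            findings.append({"host": ev["host"], "type": ev["type"], "reasons": reasons})
    return findings


# Constructed sample telemetry in a simplified shape (not a real Sysmon or EDR schema).
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws-01",
     "image": r"C:\Users\alice\AppData\Local\Temp\Calendaromatic.exe",
     "command_line": r'"C:\Users\alice\AppData\Local\Temp\Calendaromatic.exe" --install'},
    {"type": "process", "host": "ws-01",
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks.exe /create /tn CalendarUpdate /sc daily '
                     r'/tr "C:\Program Files\Calendaromatic\Calendaromatic.exe --fullupdate"'},
    {"type": "dns", "host": "ws-01", "query": "api.movementxview.com"},
    {"type": "process", "host": "ws-02",
     "image": r"C:\Program Files\VendorApp\updater.exe",
     "command_line": r'"C:\Program Files\VendorApp\updater.exe" --install'},
    {"type": "dns", "host": "ws-02", "query": "www.example.com"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['host']} [{f['type']}]: " + "; ".join(f["reasons"]))
```

Note that a generic `--install` flag on its own is deliberately not a finding: the fourth sample event (an unrelated updater using the same flag) is left alone, and the flags only raise the score when they accompany one of the named binaries or a scheduled task pointing at one.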

Data Theft Capabilities

Once activated, TamperedChef demonstrates sophisticated information-stealing capabilities. The malware queries web browser databases and uses the Windows Data Protection API (DPAPI) to decrypt the stored credentials and other sensitive information they hold. It systematically terminates browser processes to access locked data files, ensuring comprehensive data harvesting from popular web browsers.

Additionally, the malware conducts system reconnaissance, identifying installed security products before proceeding with its data exfiltration operations. This behavior suggests the threat actors have invested significant effort in developing evasion techniques to bypass common security solutions.

Abuse of Digital Certificates

The campaign’s legitimacy facade is reinforced through the abuse of digital certificates from multiple companies, including CROWN SKY LLC and LIMITED LIABILITY COMPANY APPSOLUTE. These certificates provide a veneer of legitimacy that helps bypass user suspicion and endpoint defenses. Investigation reveals these companies share suspicious characteristics, including generic websites with potentially AI-generated content and shared business addresses.

Particularly concerning is the discovery that certificates from these entities have been used to sign other malicious software, indicating a broader certificate abuse operation supporting multiple malware families.

Campaign Scope and Impact

The threat actors behind TamperedChef have demonstrated long-term persistence in the threat landscape, with evidence suggesting activity dating back to August 2024. Their operations extend beyond the malicious PDF editor attributed to the campaign to include other potentially unwanted programs, all sharing common command-and-control infrastructure.

European organizations have been significantly impacted, with multiple companies reporting employee infections after downloading the malicious PDF editor. The campaign’s success highlights the effectiveness of disguising malware as legitimate productivity tools—a category users typically trust and readily install.

Recommendations for Mitigation

The TamperedChef campaign serves as a stark reminder that even seemingly innocuous productivity tools can pose significant security risks. Organizations must implement robust software vetting procedures and maintain heightened awareness of free utilities from unknown sources. Specific recommendations include:

– Implement Application Whitelisting: Restrict the execution of unauthorized applications by maintaining a whitelist of approved software.

– Regularly Update Security Software: Ensure all security solutions are up-to-date to detect and prevent the latest threats.

– Educate Employees: Conduct regular training sessions to inform staff about the risks associated with downloading and installing software from unverified sources.

– Monitor Network Traffic: Utilize network monitoring tools to detect unusual communication patterns indicative of command-and-control activity.

– Review Digital Certificates: Scrutinize the digital certificates of installed software to identify potential abuses.

By adopting these measures, organizations can enhance their defenses against sophisticated malware campaigns like TamperedChef and protect their sensitive data from unauthorized access.